{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: RDMA/srpt: Add a check for valid 'mad_agent' pointer",
    "id" : "2426026",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426026"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-366",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/srpt: Add a check for valid 'mad_agent' pointer\nWhen unregistering MAD agent, srpt module has a non-null check\nfor 'mad_agent' pointer before invoking ib_unregister_mad_agent().\nThis check can pass if 'mad_agent' variable holds an error value.\nThe 'mad_agent' can have an error value for a short window when\nsrpt_add_one() and srpt_remove_one() is executed simultaneously.\nIn srpt module, added a valid pointer check for 'sport->mad_agent'\nbefore unregistering MAD agent.\nThis issue can hit when RoCE driver unregisters ib_device\nStack Trace:\n------------\nBUG: kernel NULL pointer dereference, address: 000000000000004d\nPGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P\nHardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020\nWorkqueue: bnxt_re bnxt_re_task [bnxt_re]\nRIP: 0010:_raw_spin_lock_irqsave+0x19/0x40\nCall Trace:\nib_unregister_mad_agent+0x46/0x2f0 [ib_core]\nIPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready\n? __schedule+0x20b/0x560\nsrpt_unregister_mad_agent+0x93/0xd0 [ib_srpt]\nsrpt_remove_one+0x20/0x150 [ib_srpt]\nremove_client_context+0x88/0xd0 [ib_core]\nbond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex\ndisable_device+0x8a/0x160 [ib_core]\nbond0: active interface up!\n? kernfs_name_hash+0x12/0x80\n(NULL device *): Bonding Info Received: rdev: 000000006c0b8247\n__ib_unregister_device+0x42/0xb0 [ib_core]\n(NULL device *):         Master: mode: 4 num_slaves:2\nib_unregister_device+0x22/0x30 [ib_core]\n(NULL device *):         Slave: id: 105069936 name:p2p1 link:0 state:0\nbnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re]\nbnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re]", "A flaw was addressed in the Linux kernel’s RDMA SRPT (SCSI RDMA Protocol Target) subsystem. When unregistering a MAD (Management Datagram) agent, the SRPT module previously performed a non-NULL check on the mad_agent pointer before invoking ib_unregister_mad_agent(). Under rare timing conditions—specifically, concurrent execution of srpt_add_one() and srpt_remove_one()—mad_agent may hold an error value that passes the non-NULL test. This can lead to a NULL pointer dereference and kernel crash when the RoCE driver unregisters an ib_device" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54274\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54274\nhttps://lore.kernel.org/linux-cve-announce/2025123002-CVE-2023-54274-79a7@gregkh/T" ],
  "name" : "CVE-2023-54274",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}